I hack, therefore I am

Friday, March 1, 2019

If a thorough cybersecurity audit isn’t a part of your mergers and acquisitions due diligence process, I think it should be. I’m not talking about the kind of halfhearted scan that checks a box for the board of directors. There’s too much at stake to do anything less than a deep examination of all network and endpoint elements that can reveal undetected compromises and lurking threats.

Global mergers and acquisitions activity in the first three quarters of 2018 was valued at $3.3 trillion. That’s a lot of capital in play, and for every deal made, the due diligence process focuses on finances and compliance to ensure that the acquiring party knows as much about the target organization as possible. Due diligence is necessary to set a fair price, protect shareholder interests and establish confidence that the purchase makes sense — or not. Due diligence also gives management a basis from which to establish a strategy for successful business and market integration.

Wednesday, December 12, 2018

In our efforts to stay one step ahead of the global criminal hacker cabal, my colleagues and I in the ethical hacker community try to approach our craft like our adversaries. To paraphrase Carl Spackler, we know that, in order to conquer the hacker, we have to learn to think like hackers. We’ve got to get inside the hacker’s pelt and crawl around. When you do that, you develop a begrudging respect for them.

In popular culture, however, criminal hackers can become mythologized, not unlike the way the bank robbers of old were. Despite their chosen professions, the likes of John Dillinger, Bonnie and Clyde, Baby Face Nelson and Ma Barker were sometimes regarded as modern-day Robin Hoods. They were the little guys taking on the rich and powerful with daring and panache. Even when caught, they’d often revel in the attention. When asked why he robbed banks, the infamous “Slick” Willie Sutton supposedly quipped, “Because that’s where the money is.”

That may have been true in the first half of the last century, but not anymore.

Friday, August 24, 2018

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time: today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

Wednesday, June 6, 2018

You almost have to admire the hackers. Almost. Technology research firm Gartner (via Forbes) estimates that companies will spend $93 billion on cybersecurity technologies in 2018. Yet, according to a recent study by security firm Norton (via MIT Technology Review), the relentless efforts of the global hacking community still netted $172 billion in ill-gotten gains. There’s no indication that things will be any different this year. Why do the hackers continue to succeed? What must industry do to make hacking a less profitable venture for the adversary?

To better understand and answer these questions, it’s useful to examine the hackers’ successes and look for consistencies. But first, let’s define a word that is often misused or misunderstood in cybersecurity discussions: vulnerability.

Thursday, February 16, 2017

Chicago in the 1930s was a hive of organized crime where the bad guys always had the upper hand. As dramatized by the film "The Untouchables," lawman Eliot Ness confides to Officer Jim Malone that he is prepared to do “everything within the law” to take down Al Capone. But streetwise Malone tells Ness that, to win, he must be prepared to do more. “He pulls a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. That’s the Chicago way.”

Like ‘30s Chicago, the dark web is crawling with global crime syndicates, and everyone I've talked to says fighting the Chicago way sounds appealing. The problem is that the same laws that make hacking a crime also make it a crime to retaliate.

Wednesday, July 13, 2016

Fuzzing is a technique in software testing where you generate a large number of random inputs and see how a program handles them. So what does a testing technique have to do with a process such as the Cyber Kill Chain developed by Lockheed Martin? Easy! Just as fuzzing software produces resilient software, fuzzing a process produces a validated process. The Kill Chain describes about seven steps that adversaries must complete in order to achieve their goals, but will that always be the case? Can an attacker pull off a successful attack with just one step? Or three? That’s what we’re going to fuzz out ...

(Again, in order to avoid cross-posting between the different blogs, that was just a brief paragraph and a link to the original post is below).

Wednesday, December 2, 2015

I've started blogging again! In order to avoid cross-posting between the different blogs, I'll just give a brief paragraph and a link back to the original post. Here we go:

Getting into a network and getting data out of a network are two different challenges. Just because an employee clicked on a malicious link and got hacked, it doesn’t mean the attacker gets to walk off with PII, financials, source code, etc. In this blog post, we’ll explore the known breach method of using the ICMP protocol for data exfiltration, but with a twist. Instead of showing how to use this breach method with custom-made tools, we’re going to do it using the default and common ping utility, red team style!